Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models
<p dir="ltr">Recent works have shown that deep learning (DL) models can effectively learn city-wide crowd-flow patterns, which can be used for more effective urban planning and smart city management. However, DL models have been known to perform poorly on inconspicuous adversarial pe...
محفوظ في:
| المؤلف الرئيسي: | |
|---|---|
| مؤلفون آخرون: | , , , |
| منشور في: |
2023
|
| الموضوعات: | |
| الوسوم: |
إضافة وسم
لا توجد وسوم, كن أول من يضع وسما على هذه التسجيلة!
|
| _version_ | 1864513510171475968 |
|---|---|
| author | Hassan Ali (3348749) |
| author2 | Muhammad Atif Butt (10849980) Fethi Filali (12646471) Ala Al-Fuqaha (4434340) Junaid Qadir (16494902) |
| author2_role | author author author author |
| author_facet | Hassan Ali (3348749) Muhammad Atif Butt (10849980) Fethi Filali (12646471) Ala Al-Fuqaha (4434340) Junaid Qadir (16494902) |
| author_role | author |
| dc.creator.none.fl_str_mv | Hassan Ali (3348749) Muhammad Atif Butt (10849980) Fethi Filali (12646471) Ala Al-Fuqaha (4434340) Junaid Qadir (16494902) |
| dc.date.none.fl_str_mv | 2023-12-28T18:00:00Z |
| dc.identifier.none.fl_str_mv | 10.1109/tits.2023.3343971 |
| dc.relation.none.fl_str_mv | https://figshare.com/articles/journal_contribution/Consistent_Valid_Physically-Realizable_Adversarial_Attack_Against_Crowd-Flow_Prediction_Models/26393263 |
| dc.rights.none.fl_str_mv | CC BY 4.0 info:eu-repo/semantics/openAccess |
| dc.subject.none.fl_str_mv | Information and computing sciences Artificial intelligence Cybersecurity and privacy Data management and data science Machine learning Deep neural networks CFP adversarial ML Perturbation methods Standards Adaptation models Computer architecture Analytical models History Data models |
| dc.title.none.fl_str_mv | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| dc.type.none.fl_str_mv | Text Journal contribution info:eu-repo/semantics/publishedVersion text contribution to journal |
| description | <p dir="ltr">Recent works have shown that deep learning (DL) models can effectively learn city-wide crowd-flow patterns, which can be used for more effective urban planning and smart city management. However, DL models have been known to perform poorly on inconspicuous adversarial perturbations. Although many works have studied these adversarial perturbations in general, the adversarial vulnerabilities of deep CFP models in particular have remained largely unexplored. In this paper, we perform a rigorous analysis of the adversarial vulnerabilities of DL-based CFP models under multiple threat settings, making three-fold contributions; 1) we propose CaV-detect by formally identifying two novel properties— C onsistency a nd V alidity—of the CFP inputs that enable the detect ion of standard adversarial inputs with 0% false acceptance rate (FAR); 2) we leverage universal adversarial perturbations and an adaptive adversarial loss to present adaptive adversarial attacks to evade CaV-detect defense; 3) we propose CVP, a C onsistent, V alid and P hysically-realizable adversarial attack, that explicitly inducts the consistency and validity priors in the perturbation generation mechanism. We find out that although the crowd-flow models are vulnerable to adversarial perturbations, it is extremely challenging to simulate these perturbations in physical settings, notably when CaV-detect is in place. We also show that CVP attack considerably outperforms the adaptively modified standard attacks in FAR and adversarial loss metrics. We conclude with useful insights emerging from our work and highlight promising future research directions.</p><h2>Other Information</h2><p dir="ltr">Published in: IEEE Transactions on Intelligent Transportation Systems<br>License: <a href="https://creativecommons.org/licenses/by/4.0" target="_blank">https://creativecommons.org/licenses/by/4.0</a><br>See article on publisher's website: <a href="https://dx.doi.org/10.1109/tits.2023.3343971" target="_blank">https://dx.doi.org/10.1109/tits.2023.3343971</a></p> |
| eu_rights_str_mv | openAccess |
| id | Manara2_8578eb17f70a7f6a51101c12cf2063f0 |
| identifier_str_mv | 10.1109/tits.2023.3343971 |
| network_acronym_str | Manara2 |
| network_name_str | Manara2 |
| oai_identifier_str | oai:figshare.com:article/26393263 |
| publishDate | 2023 |
| repository.mail.fl_str_mv | |
| repository.name.fl_str_mv | |
| repository_id_str | |
| rights_invalid_str_mv | CC BY 4.0 |
| spelling | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction ModelsHassan Ali (3348749)Muhammad Atif Butt (10849980)Fethi Filali (12646471)Ala Al-Fuqaha (4434340)Junaid Qadir (16494902)Information and computing sciencesArtificial intelligenceCybersecurity and privacyData management and data scienceMachine learningDeep neural networksCFPadversarial MLPerturbation methodsStandardsAdaptation modelsComputer architectureAnalytical modelsHistoryData models<p dir="ltr">Recent works have shown that deep learning (DL) models can effectively learn city-wide crowd-flow patterns, which can be used for more effective urban planning and smart city management. However, DL models have been known to perform poorly on inconspicuous adversarial perturbations. Although many works have studied these adversarial perturbations in general, the adversarial vulnerabilities of deep CFP models in particular have remained largely unexplored. In this paper, we perform a rigorous analysis of the adversarial vulnerabilities of DL-based CFP models under multiple threat settings, making three-fold contributions; 1) we propose CaV-detect by formally identifying two novel properties— C onsistency a nd V alidity—of the CFP inputs that enable the detect ion of standard adversarial inputs with 0% false acceptance rate (FAR); 2) we leverage universal adversarial perturbations and an adaptive adversarial loss to present adaptive adversarial attacks to evade CaV-detect defense; 3) we propose CVP, a C onsistent, V alid and P hysically-realizable adversarial attack, that explicitly inducts the consistency and validity priors in the perturbation generation mechanism. We find out that although the crowd-flow models are vulnerable to adversarial perturbations, it is extremely challenging to simulate these perturbations in physical settings, notably when CaV-detect is in place. We also show that CVP attack considerably outperforms the adaptively modified standard attacks in FAR and adversarial loss metrics. We conclude with useful insights emerging from our work and highlight promising future research directions.</p><h2>Other Information</h2><p dir="ltr">Published in: IEEE Transactions on Intelligent Transportation Systems<br>License: <a href="https://creativecommons.org/licenses/by/4.0" target="_blank">https://creativecommons.org/licenses/by/4.0</a><br>See article on publisher's website: <a href="https://dx.doi.org/10.1109/tits.2023.3343971" target="_blank">https://dx.doi.org/10.1109/tits.2023.3343971</a></p>2023-12-28T18:00:00ZTextJournal contributioninfo:eu-repo/semantics/publishedVersiontextcontribution to journal10.1109/tits.2023.3343971https://figshare.com/articles/journal_contribution/Consistent_Valid_Physically-Realizable_Adversarial_Attack_Against_Crowd-Flow_Prediction_Models/26393263CC BY 4.0info:eu-repo/semantics/openAccessoai:figshare.com:article/263932632023-12-28T18:00:00Z |
| spellingShingle | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models Hassan Ali (3348749) Information and computing sciences Artificial intelligence Cybersecurity and privacy Data management and data science Machine learning Deep neural networks CFP adversarial ML Perturbation methods Standards Adaptation models Computer architecture Analytical models History Data models |
| status_str | publishedVersion |
| title | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| title_full | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| title_fullStr | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| title_full_unstemmed | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| title_short | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| title_sort | Consistent Valid Physically-Realizable Adversarial Attack Against Crowd-Flow Prediction Models |
| topic | Information and computing sciences Artificial intelligence Cybersecurity and privacy Data management and data science Machine learning Deep neural networks CFP adversarial ML Perturbation methods Standards Adaptation models Computer architecture Analytical models History Data models |